Vault Secrets Operator
The Vault Secrets Operator (VSO) allows Pods to consume Vault secrets and HCP Vault Secrets Apps natively from Kubernetes Secrets.
Overview
The Vault Secrets Operator works by watching for changes to its supported set of Custom Resource Definitions (CRDs). Each CRD provides the specification the operator needs to synchronize one of the supported secret sources to a Kubernetes Secret. The operator writes the source secret data directly to the destination Kubernetes Secret and keeps reconciling it for the lifetime of the custom resource, so changes made at the source are replicated to the destination. An application therefore only needs access to the destination Secret to use the secret data; it never has to talk to Vault itself. Note that the destination is an ordinary Kubernetes Secret: any principal that can read Secrets in that namespace through RBAC (or read etcd directly where encryption at rest is not enabled) can read the synced data, so scope Secret read permissions narrowly and enable encryption at rest.
Features
The following features are supported by the Vault Secrets Operator:
- Support for syncing from multiple secret sources.
- Automatic secret drift detection and remediation.
- Automatic secret rotation for Deployment, ReplicaSet, and StatefulSet Kubernetes resource types.
- Prometheus-specific instrumentation for monitoring the operator.
- Support for installing using Helm or Kustomize; see the installation docs for more details.
- Support for secret data transformation.
Supported secret sources
The Vault Secrets Operator supports syncing from multiple secret sources. Refer to the secret sources overview for more details.
Supported kubernetes versions
The following Kubernetes minor releases are currently supported. The latest version is tested against each Kubernetes version. It may work with other versions of Kubernetes, but those are not supported.
- 1.29
- 1.28
- 1.27
- 1.26
- 1.25
Supported Kubernetes distributions
The Vault Secrets Operator has been tested successfully in the following hosted Kubernetes environments:
- Amazon Elastic Kubernetes Service (EKS)
- Google Kubernetes Engine (GKE)
- Microsoft Azure Kubernetes Service (AKS)
- Red Hat OpenShift (certified)
Basic integration tests are available in the project repository. Please report any issues in the project's issue tracker.
Threat model and security considerations
HashiCorp takes security seriously and strives to enable users to configure their systems with security and safety in mind. Please see the Vault Secrets Operator's Threat Model for highlights on how using the Vault Secrets Operator affects users' security posture and recommendations for running securely.
Tutorial
Refer to the Vault Secrets Operator on Kubernetes tutorial to learn the end-to-end workflow using the Vault Secrets Operator.